Our increasingly connected globe has resulted in more data being generated each and every year, a progression that has become geometric. The world produced more data in 2017 than in the previous 5,000 years of recorded human history combined, according to Art Landro, the CEO of Sencha, a company that develops data‐​centric websites and applications.

What’s more, the value of data in the aggregate has increased over time, as computing power and human ingenuity advanced in tandem to apply the data to answer a myriad of questions, including such important issues as drug efficacy, crop fertility, weather forecasting, and—of course—consumer and voter behavior. So as we produce more data, we are doing more with it as well—or at least not disposing of it.

As data become more valuable, governments across the globe have responded by asserting more control over the data produced in their jurisdiction. Often these rules require that companies collecting data in a country also maintain the data in that country. Governments often justify these “data localization” requirements by appealing to the need to ensure cybersecurity or maintain the privacy of citizens.

There are certainly a range of legitimate interests in the realm of sovereignty, security, and human rights that may conflict with economic considerations. But broad data localization requirements can tip into “data protectionism” whose effect may be to impede the continued growth of international trade. The U.S. International Trade Commission (ITC) reports that half of all global trade in services depends on access to cross‐​border data flows.

In short, the rhetoric and motivations for continued actions to restrict data flows across borders should always be subject to strict scrutiny.

Types of data localization / James Kaplan and Kayvaun Rowshankish, partners with the consulting firm McKinsey & Co., suggest in an article published in the Global Commission on Internet Governance that there are four main categories of data localization, listed below from most to least stringent:

  • Geographical restrictions on data export (“data copy cannot leave”), which force foreign companies to create separate in‐​country servers or other infrastructure to hold the data. South Korea and Egypt impose a variant of this.
  • Geographical restrictions on data location require foreign companies to retain a local replica of the data. Indonesia and Malaysia impose such rules on businesses operating within their borders.
  • Permission‐​based regulations mandate that foreign companies must gain consent from their customers for cross‐​border data transfer. Brazil, Argentina, Switzerland, and Luxembourg each require some sort of permission before data can be transferred.
  • Standards‐​based regulations allow foreign companies to move data freely but companies must ensure security and privacy for customers.

Data localization can also be classified according to whether it is absolute or conditional. Absolute measures stipulate that some combination of data storage, processing, and access must occur locally. Conditional measures, in contrast, effectively ban the exit of data from the jurisdiction by placing extremely restrictive conditions on it.

The ITC tracks the growth of data localization worldwide. By its estimation, such measures have grown sharply over the last few years in apparent lockstep with the growth of data.

Increasing data localization has imposed higher costs on multinational firms that operate across borders. By constraining the freedom to share data across locales around the globe, these regulations force firms to hire more people in the country where the data originated rather than permitting companies to locate the operations where their staff is best equipped for the particular task. Such restrictions concomitantly limit potential productivity gains and essentially force firms to make costly investments in local data infrastructure to comply with local content laws. Ultimately, other businesses and their consumers pay the costs of data restrictions via higher prices and less choice. In the long run, such rules create smaller, less robust markets across the globe.

Estimated economy‐​wide losses / Several organizations have conducted econometric studies to understand the economy‐​wide effect of data localization measures. Table 1 shows the findings of the European Center for International Political Economy (ECIPE) along several key metrics.

Other research echoes ECIPE’s findings. In 2014 the ITC found that “foreign digital trade barriers” depressed U.S. gross domestic product by 0.1–0.3%, which amounts to between $16.7 billion and $41 billion per annum. A study conducted in 2016 jointly by the Center for International Governance Innovation (CIGI) and Chatham House estimated that digital trade barriers reduced GDP by 0.10% in Brazil, 0.55% in China, 0.48% in the EU, and 0.58% in South Korea.

Payment companies in China / The operations of digital payment companies in China are an excellent example of the business strategy quandaries presented by data localization measures. Digital payments in China have been rising at a stunning rate, from 6.3 per Chinese resident in 2011 to 26.1 in 2015. Considering that in developed countries such as Germany, France, and the United States, 200–400 such payments are made annually per person, and considering the 1‑billion‐​plus Chinese population, the long‐​term growth potential in China is enormous for the digital payments industry.

The market includes more than traditional payments from transaction charges, transfer fees, interest income, and maintenance fees. These data can be monetized into many lucrative income streams, including targeted advertising for merchants based on smartphone location, customized information on likelihood of repayment, and precise measurements of customer tolerance of financial risk.

Developing the full scope of the business model depends upon the ownership of the data streams, and that is now problematic for non‐​Chinese companies. Last year China’s new Cybersecurity Law took effect. Of particular concern is a mandate that “critical information infrastructure” must store personal information and other important data on servers physically located within mainland China. This clearly constitutes a data localization provision, and a very wide assortment of digital activities could be subject to it because of the vagueness of the provision.

Foreign companies thus must install and maintain data servers within China and accept the risk of unpredictable penalties as a result of the open‐​ended nature of the legislation. This makes sustained investment very challenging. Kaplan and Rowshankish, the McKinsey consultants, state:

Executives reported that they have severe difficulties gaining a clear and comprehensive view of the full set of regulations. Many are worded so vaguely that it is impossible, they say, to predict what is and is not allowable.… The uncertain environment makes it particularly difficult to plan and execute large technology investments.

How can digital payment companies invest in China in such a climate? Many find they have little choice but to submit: if companies choose not to participate, their competitors can potentially grab the market and use a first‐​mover advantage to reap a windfall as the value of data explodes.

Policy options / The preponderance of global trade restrictions creates difficult tradeoffs for tech companies and other multinationals that depend on data for their business. Governments face difficult tradeoffs as well. They wish to attract foreign investment while protecting their citizens according to their own national values of privacy, security, and human rights. They wish to adjudicate data‐​related disputes in their own domestic legal systems, and in a post–Edward Snowden world, they desire to avoid foreign surveillance of domestic data.

[Table 1 (Regulation, Summer 2018, Briefly Noted, 7)]

Attempts to regulate this situation through trade agreements have run aground. To some extent these failures reflect the underlying difficulty of reconciling commercial and noncommercial data. Only a fraction of the growing volume of cross‐​border data flows is of a financial, commercial, or transactional nature. Most personal data take the forms of emails, videos, text messages, and phone calls.

Typically, trade agreements conduct dispute resolution through panels of trade lawyers. But when cross‐​border data leads to disputes involving civil matters such as torts or criminal matters such as harassment, and when these disputes would normally engage local courts in domestic legal systems, trade lawyers cannot appropriately handle such matters. In addition to the practical difficulties involved in harmonizing enforcement across widely differing domestic judicial systems, the larger Westphalian nation‐​state principle of noninterference in the internal affairs of other nations presents another obstacle.

Nevertheless, for the continued growth of global trade, some type of reciprocated balancing must take place between the needs of global businesses and the prerogatives of sovereign governments. Perhaps the place of departure could involve, at least initially, recognizing the sheer multidimensional complexity of the matter. Progress toward new solutions may proceed from awareness that most cross‐​border data flows are not in fact trade‐​related.

Could it be possible, then, to imagine a world in which each differentiated dimension of cross‐​border data is regulated by a separate type of agreement, within a different sphere of international law? Could law enforcement, trade, cybersecurity, and other domains each receive their own separate international agreement, so as to avoid the pitfalls of previous attempts at “all‐​in‐​one grand bargains” that fall apart if any one element cannot be agreed? In a world in which economic protectionism is on the rise, finding a new path forward for “data protectionism” is of great importance.

Would Congress Ever Take Responsibility?

Although seemingly allergic to responsibility, legislators might just enact a pro‐​responsibility bill. Now, as Frances Lee demonstrates in her 2016 book Insecure Majorities, both parties “champion ‘all gain, no pain’ positions,” such as the Clean Air Act and the REINS bill, in order to appeal to their bases, hide the harm done to other interests, and win majorities in Congress.

Yet, this dynamic could change. One of the parties might come to find that shouldering responsibility would appeal to centrist voters and be more effective at winning majorities. Here are some indicia:

  • Many voters do want elected lawmakers to take responsibility for regulations. For example, a 2017 Rasmussen poll found that voters, by a margin of 56% to 25%, believe that Congress should have to vote on major EPA regulations before they go into effect.
  • Distrust of the federal government in general and Congress in particular has reached record levels in recent years. No wonder. Congress is supposed to compromise on the differences among us, but its “all gain, no pain” techniques inflame the differences and bring erratic government.
  • As the parties in Congress have grown more rabid, an increasing portion of voters identify themselves as independents.

Besides, many members of Congress are not just incumbent reelection machines. Some want to be proud of the work they do. Some want to be part of an institution that is not despised. Some want to be statesmen.

Regulation as usual is under threat from another direction. A small group, the Madison Coalition, has gotten the legislatures of 26 states to pass resolutions calling for Congress to propose a constitutional amendment that would, in essence, put Landis’s legislative veto into the Constitution. The support to date is still short of what is needed to amend the Constitution, but that a small group with scant resources has gotten so far in a few years suggests the vulnerability of the present, responsibility‐​shirking system. Still, I prefer the Responsibility for Regulation Act to the constitutional amendment because statutes are easier to get, easier to change, and Congress could use the act only to vote on major regulations rather than individual cases.

I don’t know what the future will bring. But the political parties in Congress may well find themselves in a race to show they are willing to shoulder responsibility.